From 1ccf31557932ede045f3c2d7bcdac533c5176f18 Mon Sep 17 00:00:00 2001 From: Wayne Thayer Date: Fri, 20 Apr 2018 14:00:32 -0700 Subject: [PATCH] Fixes issue #26 --- rootstore/policy.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/rootstore/policy.md b/rootstore/policy.md index d5a04dd..13b1fff 100644 --- a/rootstore/policy.md +++ b/rootstore/policy.md @@ -454,6 +454,11 @@ refers to any organization or legal entity that is in possession or control of a certificate that is capable of being used to issue new certificates. +Subordinate CA certificates created after January 1, 2019: +* MUST contain an EKU extension; and, +* MUST NOT include the anyExtendedKeyUsage KeyPurposeId; and, +* MUST NOT include both the id-kp-serverAuth and id-kp-emailProtection KeyPurposeIds in the same certificate. + These requirements include all cross-certified certificates which chain to a certificate that is included in Mozilla’s CA Certificate Program.
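Review bot: The new list in the `@@ -454,6 +454,11 @@` hunk is inserted directly before the context line "These requirements include all cross-certified certificates which chain to a certificate that is included in Mozilla's CA Certificate Program", so "These requirements" now reads as pointing at the three EKU bullets rather than at the requirements of the surrounding section. If cross-certificates are meant to fall under the EKU rules, say so in the list's introductory line; otherwise place the list after that sentence. The phrase "created after January 1, 2019" also leaves the trigger undefined: state whether it is the certificate's notBefore date or the date of signing, and whether January 1 itself is covered. "EKU" is not expanded in the added lines, so spell out Extended Key Usage here unless the section has already defined it.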